dongyuqie4322 2016-02-01 13:00
浏览 28
已采纳

简单的PDO暴力查询不起作用

I'm trying to check attempted logins by the user has committed. For some reason it skips even tough I have 7 entries in my database, +1 of reach try, with similar IP and user_id.

This is my query, full code can be found here.

// BRUTE FORCE CHECK
$remote_ip = $_SERVER['REMOTE_ADDR'];

$sql = "
SELECT  attempt_nr 
FROM    users_login_attempts 
WHERE   user_id = :userid 
AND     time > NOW() - INTERVAL 1 HOUR 
AND     user_ip = :userip
";

$results = $db_connect->prepare($sql);
if ($results->execute(array(':userid' => $user_id,':userip' => $remote_ip))){
    $count_tries = $results->rowCount();
    if ($count_tries < 5) {
        // DO SOMETHING IF LIMIT IS NOT REACHED
    }
    else { 
        // RETURN FAILURE 
    }

How come the user skips this part?

IMAGES: TABLE STRUCTURE

enter image description here

TABLE

enter image description here

MY CODE

enter image description here

THE VAR_DUMP RESULT

enter image description here

  • 写回答

1条回答 默认 最新

  • doubeng1278 2016-02-01 13:41
    关注

    From phpdoc:

    PDOStatement::rowCount() returns the number of rows affected by the last DELETE, INSERT, or UPDATE statement executed by the corresponding PDOStatement object.

    If the last SQL statement executed by the associated PDOStatement was a SELECT statement, some databases may return the number of rows returned by that statement. However, this behaviour is not guaranteed for all databases and should not be relied on for portable applications.

    Note the suggestion against using rowCount for select queries. Instead, I would change your code like this:

    $sql = "
    SELECT  count(*) AS attempt_nr
    FROM    users_login_attempts 
    WHERE   user_id = :userid 
    AND     time > DATE_ADD(NOW(), INTERVAL -1 HOUR)
    AND     user_ip = :userip
    ";
    
    $results = $db_connect->prepare($sql);
    if ($results->execute(array(':userid' => $user_id,':userip' => $remote_ip))) {
        $row = $results->fetch(PDO::FETCH_ASSOC);
        $count_tries = $row['attempt_nr'];
        if ($count_tries < 5) {
            // DO SOMETHING IF LIMIT IS NOT REACHED
        }
        else { 
            // RETURN FAILURE 
        }
    }
    

    In addition, note that with the code working correctly, you'll effectively lock your users out after 5 unsuccessful login attempts even if the user logged in successfully in between them, therefore you'll need to also ensure to clear the unsuccessful history on successful login or make your sql more complex to account for this.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 输出区间内所有的完数的个数。 要简单点的程序
  • ¥15 asp.core 权限控制怎么做,需要控制到每个方法
  • ¥20 while循环中OLED显示中断中的数据不正确
  • ¥15 这个视频里的stm32f4代码是怎么写的
  • ¥15 串口发送数据和接收数据
  • ¥15 JNA调用DLL报堆栈溢出错误(0xC00000FD)
  • ¥15 请教SGeMs软件的使用
  • ¥15 自己用vb.net编写了一个dll文件,如何只给授权的用户使用这个dll文件进行打包编译,未授权用户不能进行打包编译操作?
  • ¥50 深度学习运行代码直接中断
  • ¥20 需要完整的共散射点成像代码